Category Archives: Data Security

NIST Launches Development of Voluntary Privacy Risk Management Framework

The National Institute of Standards and Technology (NIST) has launched a collaborative effort to develop a voluntary framework that will help organizations manage privacy risks and protect consumer privacy when developing and using innovative technologies. According to NIST, a robust cybersecurity program can help manage risks, but organizations need customizable tools for addressing the challenges… Continue Reading

FTC Approves ESRB’s Updated COPPA Safe Harbor Program

By Sheila Millar and Tracy Marshall on August 17, 2018 Posted in Data Security, Privacy

The Federal Trade Commission (FTC) approved modifications to the video game industry’s Children’s Online Privacy Protection Act (COPPA) program. Earlier this year, the Entertainment Software Ratings Board (ESRB) proposed several substantive changes intended to take account of recent FTC COPPA rules and guidance. To receive FTC approval, COPPA safe harbor programs must “implement substantially similar… Continue Reading

California Company Settles with FTC over Alleged Privacy Shield Misrepresentations

By Sheila Millar and Tracy Marshall on July 16, 2018 Posted in Data Security, Privacy

If a company claims to be certified under the EU-U.S. Privacy Shield framework when it hasn’t even completed the paperwork, the Federal Trade Commission (FTC) isn’t likely to let it slide. ReadyTech, a California-based online training services company, made such a claim on its website, in violation of the FTC Act’s prohibition against deceptive acts… Continue Reading

State Data Breach Notification Laws – Overview of Requirements for Responding to a Data Breach – Updated July 2018

By Sheila Millar and Tracy Marshall on July 10, 2018 Posted in Data Security, Privacy

With the ever-changing complexity of state data breach notification laws, companies facing a data breach need resources that will help them understand the issues. This summary provides an overview of the similarities and differences in data breach laws adopted in the 50 United States and the District of Columbia and includes laws enacted since our… Continue Reading

Online Talent Company Settles with FTC Over Alleged COPPA Violations

By Sheila Millar and Tracy Marshall on February 9, 2018 Posted in Data Security, Privacy

Online talent search company Explore Talent just landed in the spotlight of the Federal Trade Commission (FTC). The Vegas-based company was charged with violating the Children’s Online Privacy Protection Act (COPPA), which requires that companies collecting information online must obtain informed, verifiable parental consent before collecting any information from a child under 13. The company… Continue Reading

Senate Bill Would Give FTC Enforcement Power Over Credit Bureaus

By Sheila Millar and Tracy Marshall on January 17, 2018 Posted in Data Security

In response to the Equifax data breach last September, when hackers gained access to the personal information of 143 million consumers, Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) have introduced a bill, The Data Breach Prevention and Compensation Act of 2018, that would ultimately impose security obligations on credit reporting agencies (CRAs). The bill… Continue Reading

FTC Green Lights TRUSTe’s Proposed Safe Harbor Program Modifications

By Sheila Millar on August 14, 2017 Posted in Data Security

The Federal Trade Commission (FTC) has approved changes TRUSTe proposed to its safe harbor program several months ago under the Children’s Online Privacy Protection Act (COPPA) Rule. The approved modifications include a new requirement that program participants conduct an annual internal assessment of third-parties’ collection of personal information from children on their websites or online… Continue Reading

Are Your Security Tools Up to Date?

By Sheila Millar and Tracy Marshall on May 22, 2017 Posted in Cybersecurity, Data Security, Privacy

The effects of the massive cyberattack using ransomware known as “Wanna Cry” are still being felt all over the world. Tens of thousands of organizations have been infected, including the UK’s National Health Service, which ran some services on an emergency-only basis the day the attack began in earnest. Some security experts surmise that the… Continue Reading

NTIA Announces Multistakeholder Workshop on IoT Security Patching

By Sheila Millar and Tracy Marshall on September 19, 2016 Posted in Cybersecurity, Data Security

The National Telecommunications and Information Administration (NTIA) has announced it is convening a series of multistakeholder meetings concerning Internet of Things (IoT) Security Upgradability and Patching. The initial meeting will be held in Austin, Texas, on October 19, 2016. An associated Federal Register notice (expected to be published September 19, 2016) describes the short-term goal… Continue Reading

FCC Grants TCPA Relief to Energy Utilities and Schools

By Tracy Marshall on August 5, 2016 Posted in Data Security, Privacy

On August 4, 2016, the Federal Communications Commission (FCC) released a Declaratory Ruling granting in part two separate petitions that were filed last year – one by the Edison Electric Institute and American Gas Association, and another by Blackboard, Inc. – regarding application of the Telephone Consumer Protection Act of 1991 (TCPA) to certain types… Continue Reading

State Data Breach Notification Laws – Overview of Requirements for Responding to a Data Breach (Updated June 2016)

By Sheila Millar and Tracy Marshall on June 23, 2016 Posted in Data Security, Privacy, Regulations

We have updated our summary of state data breach notification laws in light of recent amendments to some of the laws since our last update in September 2015. Notably, Tennessee amended its data breach notification law, the Identity Theft Deterrence Act, effective July 1, 2016, by eliminating an encryption safe harbor and requiring that affected… Continue Reading

Supreme Court Requires Plaintiffs to Show Harm or Risk of Harm, Not Bare Procedural Violation, to Get Statutory Damages

By Sheila Millar, Douglas Behr and Tracy Marshall on June 2, 2016 Posted in Cybersecurity, Data Security, Litigation, Privacy

Joe Ravi | CC-BY-SA 3.0 Last year, we noted that the Supreme Court had granted certiorari in a case that could limit the ability of plaintiffs to sue defendants over bare statutory violations without the showing of actual injury. The case implicates a wide variety of statutes that grant monetary awards to successful plaintiffs on… Continue Reading

Appeals Court Agrees That Health Solutions Provider’s Insurance Requires Defense in Data Disclosure Class Action

By Douglas Behr and Sheila Millar on April 13, 2016 Posted in Data Security, Litigation, Privacy

Availability of insurance is often among the first questions that arises when a company encounters a data breach or other Internet-related problem involving company records, even where the company lacks a cyberinsurance policy. The federal Fourth Circuit Court of Appeals recently affirmed a ruling by a District Court that required insurance coverage for an inadvertent… Continue Reading

The FCC Continues Privacy Push with Draft Proposal Regulating ISP Customers’ Data

By Sheila Millar and Tracy Marshall on March 11, 2016 Posted in Data Security, Privacy, Regulations

On the heels of the Open Internet Order adopted by the Federal Communications Commission (FCC) last year, FCC Chairman Tom Wheeler has circulated a Notice of Proposed Rulemaking (NPRM) to fellow Commissioners that would apply the privacy protections of the Communications Act to broadband Internet access services. Wheeler’s proposal will be voted on at the… Continue Reading

European Commission Releases Draft Text of Adequacy Decision on EU-U.S. Privacy Shield

By Sheila Millar and Tracy Marshall on March 2, 2016 Posted in Data Security, Privacy

On February 29, 2016, the European Commission’s (EC) released a much anticipated draft adequacy decision on the EU–U.S. Privacy Shield. With this and enactment of the Judicial Redress Act last week (see our post here), the European Union came yet another step closer to finalizing the agreement between the EU and the U.S. to enable… Continue Reading

Agreement Reached on Landmark EU Data Protection Reform

By Sheila Millar and Tracy Marshall on December 18, 2015 Posted in Data Security, Privacy

On December 15, 2015, the European Commission announced that an agreement has been reached with the European Parliament and the Council (the “trilogue” meetings) regarding the Commission’s sweeping 2012 EU Data Protection Reform proposal. The reform package, which consists of a General Data Protection Regulation and a Data Protection Directive for Police and Criminal Justice… Continue Reading

False Advertising Contempt Suit Costs LifeLock $100 Million

By Sheila Millar and Tracy Marshall on December 17, 2015 Posted in Data Security, Litigation, Privacy

On December 17, 2015, the Federal Trade Commission (FTC) announced that Lifelock, Inc. (LifeLock), agreed to pay a record-breaking $100 million to settle charges that it violated an earlier consent agreement related to flawed data security practices issued in March 2010. The LifeLock settlements implicate both the “fairness” of the company’s data security practices and… Continue Reading

Life After the U.S.–EU Safe Harbor

By Sheila Millar and Tracy Marshall on November 3, 2015 Posted in Data Security, Privacy

We’ve written about the ground-breaking and panic-inducing ruling of the European Court of Justice (ECJ) invalidating the U.S.–EU Safe Harbor framework as an adequate data transfer mechanism, and ruling that national authorities are not bound by Commission approvals. Click here for our September 23, 2015 blog post, and here for a related October 16, 2015… Continue Reading

Article 29 WP Says Safe Harbor Transfers Illegal; Model Clauses and BCRs Under Review

By Sheila Millar and Tracy Marshall on October 16, 2015 Posted in Data Security, Litigation, Privacy

The Article 29 Working Party (WP) issued a press release on October 16, 2015 announcing the outcome of the meeting to discuss coordinated action after the Court of Justice of the European Union (ECJ) decision in the matter of Schrems v. Data Protection Commissioner (C-362-14), which invalidated the U.S.-EU Safe Harbor Agreement. While calling for… Continue Reading

EU Official Calls for Invalidation of EU–U.S. Safe Harbor Pact

By Sheila Millar and Tracy Marshall on September 23, 2015 Posted in Data Security, Privacy

A European Court of Justice (ECJ) advocate general, Yves Bot, has called for the European Union–U.S. Safe Harbor Agreement to be invalidated due to concerns over U.S. surveillance practices (press release here, opinion here). The ECJ has discretion to reject the recommendation, but such opinions are generally followed. A final decision on the issue is… Continue Reading

In Commission Win, Appeals Court Agrees that FTC Can Regulate Business Data Security Practices Under Unfairness Authority

By Sheila Millar and Tracy Marshall on August 26, 2015 Posted in Cybersecurity, Data Security, Privacy

In a closely watched case where the Federal Trade Commission (FTC) pursued Wyndham Worldwide Corporation for several data breaches that led to millions of dollars in fraudulent charges on customers’ payment cards, the U.S. Court of Appeals for the Third Circuit on Monday agreed with the Commission’s broad interpretation of its “unfairness” authority (opinion here).… Continue Reading

Tips for Writing Social Media Policies

By Sheila Millar and Tracy Marshall on July 15, 2015 Posted in Advertising, Data Security, Privacy, Regulations, Sweepstakes & Promotions

As many marketers spend a large and growing share of the ad spend on social media, basic principles of truthful advertising must be kept in mind and applied in the new and varied media. After all, the platforms may change, but the underlying requirements do not. Thus, for responsible marketers, a robust social media policy… Continue Reading